Abstract

In this paper we present an algorithm for performing runtime verification of a bounded temporal logic over timed runs. The algorithm consists of three elements. First, the bounded temporal formula to be verified is translated into a monadic first-order logic over difference inequalities, which we call monadic difference logic. Second, at each step of the timed run, the monadic difference formula is modified by computing a quotient with the state and time of that step. Third, the resulting formula is checked for being a tautology or being unsatisfiable by a decision procedure for monadic difference logic.

We further provide a simple decision procedure for monadic difference logic based on the data structure Difference Decision Diagrams. The algorithm is complete in a very strong sense on a subclass of temporal formulae characterized as homogeneously monadic, and it is approximate on other formulae. The approximation comes from the fact that not all unsatisfiable or tautological formulae are recognised at the earliest possible time of the runtime verification.

Contrary to existing approaches, the presented algorithms do not work by syntactic rewriting but employ efficient decision structures which make them applicable in real applications within, for instance, business software.



1 Introduction and related work

Runtime verification is the task of verifying whether a running system, while it is running, satisfies given properties expressed in a suitable logic [2, 10, 6]. Contrary to model checking, the verification is not done for the complete system before running it. It is in this sense a weaker verification, since only the particular run performed by the system is checked and not all possible runs. However, it can be a much more appropriate verification since, for model checking to give reliable results, a model of the environment must be supplied, and if this does not correctly capture the environment the verification becomes unreliable: it might accept or reject a property because of the existence of runs in the model which would never occur in practice. Figure 1 schematically illustrates the situation.

Figure 1: The overall setup of the runtime verifier. A timed system transmits time-stamped states to the runtime verifier. The verifier is monitoring the validity of the observed run with respect to a given temporal formula $\psi$ and the last observed state $s$. The verifier has three states indicated by the traffic light: failure, undetermined (could go either way), or acceptance (no reason to monitor any further).

It also turns out, somewhat surprisingly, that in order to perform proper runtime verification that provides timely responses at the earliest possible time of the run, a decision problem for the logic has to be solved. For most logics, this is complexity-wise a more difficult problem than the associated model checking problem, so runtime verification might in fact be more challenging than model checking despite the apparent simplification of the problem to a particular run and not a quantification over all runs.

Existing approaches to runtime verification use invariance techniques [17, 18, 19], where a concurrent process is surveying the state of the system under verification and checks that it always obeys an invariance property, or formula rewriting [7], where in each step of a run the property formula is rewritten depending on the state of the current step. In [10] an attempt was made to repeat the rewrite principle from [7] for quantitative temporal logic. This attempt, however, revealed difficulty in expressing, within the same logic, the property which must hold for the remaining run after rewriting based on the current step. Moreover, although being complete, no efficient methods to check a formula for being a tautology or unsatisfiable exist for these logics. Also, apparently there is no easy way to compute nearest deadlines, e.g. when (in the future) the current formula would become a tautology (or unsatisfiable) provided that the current state does not change. In this paper we shall take an approach which makes these things a whole lot easier.

We take a different approach. By encoding the runtime problem as a satisfiability problem for a monadic first-order logic, we arrive at a different type of algorithm. This algorithm is capable of utilizing a powerful decision structure for difference logic which inherits some of the strengths of binary decision diagrams

2 Bounded temporal logic and monadic difference logic

We work with two logics: a bounded temporal logic (BTL) and a monadic difference logic (MDL). We assume a set of indexed propositions $\mathit{Prop} = \{p_1, p_2, \dots\}$ and a corresponding set of indexed monadic predicates $\mathit{Pred} = \{P_1, P_2, \dots\}$. The correspondence between propositions and predicates will be exploited in the translation of the temporal logic into monadic difference logic.

Bounded temporal logic formulae are constructed from the following grammar:

$\psi ::= p_j \mid \psi_1 \land \psi_2 \mid \neg\psi \mid \mathrm{always}_c\,\psi$

where $c \in \mathbb{R}_+$ and we use $\mathbb{R}_+$ for the set of non-negative reals. As usual there is a range of derived operators, e.g. $\mathrm{eventually}_c\,\psi = \neg\mathrm{always}_c\,\neg\psi$, and we use the standard definitions for $\lor$ (disjunction), $\to$ (implication), and $\leftrightarrow$ (biimplication). The semantics of BTL is given over timed runs. A timed run is an infinite sequence of pairs $\sigma_i = (s_i, t_i)$ of a state $s_i \subseteq \mathit{Prop}$ and a time $t_i \in \mathbb{R}_+$:

$\sigma = (s_0, t_0)(s_1, t_1) \cdots (s_i, t_i) \cdots$



such that $t_0 = 0$ and $t_i < t_{i+1}$ for all $i \in \mathbb{N}$. We call a pair $\sigma_i = (s_i, t_i)$ a timed state. The state $s_0$ represents the initial state of the system. The intended interpretation of a run is that between two elements in the sequence, the state is unchanged. The elements thus represent the "events" taking place: an event is a state change decorated with a time stamp of when the change happens. For a pair $\sigma_i = (s_i, t_i)$ we use the functions $s$ and $t$ for the $s$- and $t$-components: $s(\sigma_i) = s_i$, $t(\sigma_i) = t_i$.

We further assume that all runs have finite variability (also referred to as non-Zeno runs [1]) in the sense that for all $t \in \mathbb{R}_+$ there exists $i \in \mathbb{N}$ such that $t < t_i$. This is a very reasonable assumption for timed runs coming from a running system. If the system stabilizes into no state change, redundant timed states can be generated at regular intervals.

For $u \in \mathbb{R}_+$ we define $\sigma(u) = \sigma_i$, where $i$ is the largest index with $t(\sigma_i) \le u$. For any $u \in \mathbb{R}_+$, $\sigma(u)$ is always well-defined because of finite variability and the fact that $t_0 = 0$. With this definition, $\sigma(u)$ is the timed state at time $u$ in the run $\sigma$. The state of the system at time $u$ is $s(\sigma(u))$.

We express that a timed run $\sigma$ satisfies a BTL formula $\psi$ at time $u$ as the relationship $\sigma \models_u \psi$ defined inductively as follows:

$\sigma \models_u p_j$ iff $p_j \in s(\sigma(u))$

$\sigma \models_u \psi_1 \land \psi_2$ iff $\sigma \models_u \psi_1$ and $\sigma \models_u \psi_2$

$\sigma \models_u \neg\psi$ iff not $\sigma \models_u \psi$

$\sigma \models_u \mathrm{always}_c\,\psi$ iff for all $u'$ with $u \le u' \le u + c$, $\sigma \models_{u'} \psi$

We use the abbreviation $\sigma \models \psi$ for $\sigma \models_0 \psi$.

For monadic difference logic we assume a set of first-order variables $\mathit{Var}$ ranged over by $x, y, z, u, v, \dots$. Formulae in monadic difference logic are constructed from the following grammar:

$\phi ::= P(x) \mid x - y < c \mid \phi_1 \land \phi_2 \mid \neg\phi \mid \forall x.\phi$

Without the monadic predicates, this logic is known as difference logic, separation logic [20], or difference constraint expressions [16]. Monadic difference logic is known to have a decision procedure in PSPACE [8].

We use the notation $\phi(x_1, \dots, x_k; P_1, \dots, P_l)$ for a formula with the free variables $x_1, \dots, x_k$ and the monadic predicates $P_1, \dots, P_l$. The semantics of a formula is then given with respect to an interpretation of the variables as reals and the monadic predicates as subsets of reals, $t_1, \dots, t_k \in \mathbb{R}_+$, $S_1, \dots, S_l \subseteq \mathbb{R}_+$:

$(t_1, \dots, t_k; S_1, \dots, S_l) \models \phi(x_1, \dots, x_k; P_1, \dots, P_l)$.

The definition of satisfaction is straightforward by interpreting $x_j$ as $t_j$ and $P_j(x)$ as $x \in S_j$. We write $\models \phi$ if there exist $t_j$'s and $S_j$'s such that the above holds.

Figure 2: The relationship between a run $\sigma = (\{p_1\}, 0)(\{p_1, p_2\}, 4)(\{p_2\}, 7)(\{p_1\}, 10)$ and the corresponding monadic sets $S_1$ and $S_2$. In this example we have, for instance, $\sigma(3) = (\{p_1\}, 0)$ and $\sigma(9.99) = (\{p_2\}, 7)$.

In difference logic only relative bounds of variables can be expressed. The syntax does not allow for expressions such as $x < c$. However, by introducing a special "zero" variable $z$, which can be read as constantly having the value zero, we obtain a similar expressiveness without complicating the logic.

3 Translating BTL to MDL 

The first phase in obtaining a runtime verifier is to translate the bounded temporal logic formulae into monadic difference logic. The key ingredient is to use monadic predicates instead of propositions referring to timed states of the run. For each proposition $p_j$, we use a monadic predicate $P_j$ such that $P_j(u)$ holds if and only if $p_j \in s(\sigma(u))$. In terms of semantics, runs will be translated to a collection of subsets of reals. For a proposition $p_j$ and a run $\sigma$, the $j$'th set of reals $S_j$ is the set of time points for which $p_j$ holds in $\sigma$. I.e., given a run $\sigma$ the corresponding sets are $S(\sigma) = (S_1(\sigma), \dots, S_k(\sigma))$, defined by:

$S_j(\sigma) = \{u \in \mathbb{R}_+ \mid p_j \in s(\sigma(u))\}$.

The (monadic) set $S_j$ is the semantical interpretation of the monadic predicate $P_j$. An example of the relationship between propositions and monadic sets is shown in figure 2.

With monadic predicates, the translation is very close to being a translation into the meta-logic used in the semantics. The translation is defined inductively for an arbitrary "starting point" $x$ and goes as follows:

$T(p_j)_x = P_j(x)$

$T(\mathrm{always}_c\,\psi)_x = \forall y.\ 0 \le y - x \le c \to T(\psi)_y$

For the derived operator $\mathrm{eventually}_c\,\psi$ we obtain $T(\mathrm{eventually}_c\,\psi)_x = \exists y.\ 0 \le y - x \le c \land T(\psi)_y$. Observe that $T(\psi)_x$ has only one free variable, $x$, which can be thought of as the "starting time".

Lemma 1 (Translation correctness) For all bounded temporal formulae $\psi$, timed runs $\sigma$, and time points $t \in \mathbb{R}_+$, we have

$\sigma \models_t \psi$ if and only if $(t; S(\sigma)) \models T(\psi)_z$.

Example. As an example consider the BTL formula:

$\psi = \mathrm{eventually}_8\,\mathrm{always}_3\,p_2$

It translates to:

$T(\psi)_z = \exists x.\ 0 \le x - z \le 8 \land \forall y.\ 0 \le y - x \le 3 \to P_2(y)$.

Reading this, it states that there must exist a time point $x$ no more than 8 time units after $z$, such that for all time points $y$ no more than 3 time units after $x$, $P_2$ holds for $y$.

4 Quotienting 

In runtime verification we receive one timed state ai 
of the run at a time. Our approach will be to trans- 
late the temporal formula under verification, '0, to a 
monadic formula using the translation = T{tp)z. 
After receiving each new timed state of the run, we 
transform (j) in order to take the additional infor- 
mation into account given by the timed state. If 
ffi and (Ji+i are two consecutive timed states of the 
run, we form the quotient (f)/ atai+i with the property 
that the state information in Uiai+i has been tak- 
ing into account such that the resulting formula no 
longer refers to state in the timing interval given by 
fji and (Ti+i. Recall that on each point in the interval 
[t{ai);t{aij^.i)[ the state is s{cTi) and in the endpoint 
i(CTi+i) the state is s(CTi+i). 
$P_j(x)/(s,t)(s',t') =$

  $(t' < x - z \land P_j(x))$  if $p_j \notin s$, $p_j \notin s'$  (I)

  $x - z = t' \lor (t' < x - z \land P_j(x))$  if $p_j \notin s$, $p_j \in s'$  (II)

  $t \le x - z < t' \lor (t' < x - z \land P_j(x))$  if $p_j \in s$, $p_j \notin s'$  (III)

  $t \le x - z \le t' \lor (t' < x - z \land P_j(x))$  if $p_j \in s$, $p_j \in s'$  (IV)

$(x - y < c)/(s,t)(s',t') = x - y < c$

$(\phi_1 \land \phi_2)/(s,t)(s',t') = (\phi_1/(s,t)(s',t')) \land (\phi_2/(s,t)(s',t'))$

$(\neg\phi)/(s,t)(s',t') = \neg(\phi/(s,t)(s',t'))$

$(\forall x.\phi)/(s,t)(s',t') = \forall x.(\phi/(s,t)(s',t'))$

Figure 3: Quotienting of monadic difference formulae over a pair of timed states $(s,t)$, $(s',t')$ with $t < t'$.



For two consecutive pairs of timed states $(s,t), (s',t')$ with $t < t'$ we define the quotient inductively over monadic difference formulae as shown in figure 3.

The quotient distributes over all operators and makes a change to the formula only at the point where a monadic predicate is met. In fact, the quotient could also be viewed as simply the substitution

$\phi[P_j(x) \mapsto P_j(x)/(s,t),(s',t')]_{j=1}^{l}$

on all predicates $P_j(x)$. In order to formally state the relevant properties of the quotient, we use the notion of two subsets of $\mathbb{R}_+$ agreeing on another subset: the sets $S, S' \subseteq \mathbb{R}_+$ agree on $D \subseteq \mathbb{R}_+$ if $S \cap D = S' \cap D$, i.e., $\forall t \in D.\ t \in S \Leftrightarrow t \in S'$. Two collections of sets $S, S'$ pairwise agree on $D$ if for all $j = 1, \dots, l$, $S_j$ and $S'_j$ agree on $D$. A monadic difference formula $\phi$ is independent of states on $C \subseteq \mathbb{R}_+$ if, for all $S, S'$ that pairwise agree on $D = \mathbb{R}_+ \setminus C$, we have that for all $t \in \mathbb{R}_+$:

$(t; S) \models \phi$ if and only if $(t; S') \models \phi$.

Further, we say that $(s,t)(s',t')$ is consistent with $S_j \subseteq \mathbb{R}_+$ if

$(t' \in S_j \Leftrightarrow p_j \in s')$, and

for all $t''$ with $t \le t'' < t'$: $(t'' \in S_j \Leftrightarrow p_j \in s)$.

We can now formally state the properties of the quotient in the following lemma:

Lemma 2 (Quotienting lemma) Let $(s,t), (s',t')$ be pairs of timed states with $t < t'$ and $\phi$ a monadic difference formula with one free variable.

(Independence) The quotient $\phi/(s,t),(s',t')$ is independent of the states on the interval $[t; t']$.

(Correctness) If $(s,t)(s',t')$ is consistent with $S_j$ for all $1 \le j \le l$ then for all $t'' \in \mathbb{R}_+$ we have:

$(t''; S) \models \phi$ iff $(t''; S) \models \phi/(s,t),(s',t')$.

(Preservation) If $t < t'$ and $\phi$ is independent of the states on $[t; t']$ then $\phi/(s',t')(s'',t'')$ is independent of the states on $[t; t'']$.

Given a timed run $\sigma$ with the finite prefix $\sigma^{0..i} = \sigma_0\sigma_1 \cdots \sigma_i$ of its first $i + 1 \ge 2$ timed states, we denote by $\phi/\sigma^{0..i}$ the repeated quotient $\phi/\sigma_0\sigma_1/\sigma_1\sigma_2/\cdots/\sigma_{i-1}\sigma_i$. From the independence and preservation properties, it follows that $\phi/\sigma^{0..i}$ is independent of states on $[0; t(\sigma_i)]$. In other words, the formula $\phi$ has been modified to reflect the past and its validity now only depends on the future. If $\phi/\sigma^{0..i}$ is a tautology, then no matter what timed states will occur in the future, we know that $\phi$ is going to hold for all runs. Similarly, if $\phi/\sigma^{0..i}$ is unsatisfiable, no possible future run will be able to make $\phi$ become fulfilled. Checking for these two situations is the main part of our first runtime verification algorithm.

Example (continued). Consider again the temporal formula $\psi = \mathrm{eventually}_8\,\mathrm{always}_3\,p_2$ with translation $T(\psi)_z = \exists x.\ 0 \le x - z \le 8 \land \forall y.\ 0 \le y - x \le 3 \to P_2(y)$. The quotient $T(\psi)_z/(\{p_1\},0)(\{p_1,p_2\},4)$ can be computed to be

$\exists x.\ 0 \le x - z \le 8 \land \forall y.\ 0 \le y - x \le 3 \to (P_2(y)/(\{p_1\},0)(\{p_1,p_2\},4))$

using the cases for $\exists$, $\land$ etc. of the quotienting of figure 3. Furthermore, we have according to case (II) of the quotienting on monadic predicates in figure 3 that $P_2(y)/(\{p_1\},0)(\{p_1,p_2\},4)$ becomes

$y - z = 4 \lor (4 < y - z \land P_2(y))$.

This gives the combined result:

$\exists x.\ 0 \le x - z \le 8 \land \forall y.\ 0 \le y - x \le 3 \to y - z = 4 \lor (4 < y - z \land P_2(y))$.

We call this expression $\phi$ and can now compute the next quotient $\phi/(\{p_1,p_2\},4)(\{p_2\},7)$. Using the various cases of the quotienting of figure 3, in particular case (IV), it is not hard to see that we end with:

$\exists x.\ 0 \le x - z \le 8 \land \forall y.\ 0 \le y - x \le 3 \to y - z = 4 \lor 4 < y - z \le 7 \lor (7 < y - z \land P_2(y))$.

This can be simplified to:

$\exists x.\ 0 \le x - z \le 8 \land \forall y.\ 0 \le y - x \le 3 \to 4 \le y - z \le 7 \lor (7 < y - z \land P_2(y))$.

Notice that taking $x = 4$ the universal quantification becomes true irrespective of the monadic predicate $P_2(y)$. Therefore, this expression is a tautology and it would be safe for a runtime verifier to conclude at time 7 that the formula is fulfilled.
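The translation of section 3 and the quotient of figure 3 are both purely syntactic, so they can be carried out mechanically on a formula tree. The following is an added example, not code from the paper, that does exactly that for the running example $\psi = \mathrm{eventually}_8\,\mathrm{always}_3\,p_2$ over the run of figure 2. Assumptions of ours: MDL formulas are nested tuples in the encoding given in the code; the cases $T(\psi_1 \land \psi_2)_x$ and $T(\neg\psi)_x$, which the paper leaves implicit, are taken to be homomorphic; bound variables are named $x, y, u, v, w$ by nesting depth so that the output matches the paper's naming; and the prefix $x - z = t'$ of case (II) is read off the worked example above. Deciding whether the result is a tautology needs a decision procedure (sections 5 and 6) and is not attempted here; instead the example checks the independence property of lemma 2 by collecting the guards $t' < x - z$ that end up around every predicate occurrence.

```python
"""Added example (not the paper's code): the translation T of section 3 and the
quotient of figure 3 as operations on formula trees.

Assumptions of ours: MDL formulas are nested tuples in the encoding below; the
cases T(f1 and f2)_x and T(not f)_x are homomorphic; quantified variables are
named x, y, u, v, w by nesting depth; case (II) of figure 3 carries the prefix
x - z = t' as in the paper's worked example.
"""

# Encoding of an MDL formula:
#   ("P", p, x)          predicate for proposition p applied to variable x
#   ("lt", x, y, c)      x - y < c        ("le", x, y, c)  x - y <= c
#   ("eq", x, y, c)      x - y = c
#   ("and", a, b) | ("or", a, b) | ("imp", a, b) | ("not", a)
#   ("forall", x, a) | ("exists", x, a)
NAMES = ["x", "y", "u", "v", "w"]  # bound-variable names by nesting depth
SYM = {"lt": "<", "le": "<=", "eq": "=", "and": "and", "or": "or", "imp": "->"}


def rng(x, y, lo, hi, strict_hi=False):
    """lo <= x - y <= hi (or < hi) as a conjunction of two difference bounds."""
    return ("and", ("le", y, x, -lo), ("lt" if strict_hi else "le", x, y, hi))


def T(f, x, depth=0):
    """Translate a BTL formula, encoded as ("p", name) | ("and", f, g) | ("not", f) |
    ("always", c, f) | ("eventually", c, f), with starting point x."""
    op = f[0]
    if op == "p":
        return ("P", f[1], x)
    if op == "and":
        return ("and", T(f[1], x, depth), T(f[2], x, depth))
    if op == "not":
        return ("not", T(f[1], x, depth))
    y = NAMES[depth]
    if op == "always":      # forall y. 0 <= y - x <= c -> T(f)_y
        return ("forall", y, ("imp", rng(y, x, 0, f[1]), T(f[2], y, depth + 1)))
    if op == "eventually":  # exists y. 0 <= y - x <= c and T(f)_y
        return ("exists", y, ("and", rng(y, x, 0, f[1]), T(f[2], y, depth + 1)))
    raise ValueError(f"unknown operator {op!r}")


def quotient(phi, s, t, s2, t2, z="z"):
    """phi / (s, t)(s2, t2) of figure 3; only predicate occurrences are rewritten."""
    op = phi[0]
    if op == "P":
        _, p, x = phi
        keep = ("and", ("lt", z, x, -t2), phi)              # t2 < x - z and P(x)
        if p not in s and p not in s2:                       # case (I)
            return keep
        if p not in s and p in s2:                           # case (II)
            return ("or", ("eq", x, z, t2), keep)
        if p in s and p not in s2:                           # case (III)
            return ("or", rng(x, z, t, t2, strict_hi=True), keep)
        return ("or", rng(x, z, t, t2), keep)                # case (IV)
    if op in ("lt", "le", "eq"):
        return phi
    if op in ("and", "or", "imp"):
        return (op, quotient(phi[1], s, t, s2, t2, z), quotient(phi[2], s, t, s2, t2, z))
    if op == "not":
        return ("not", quotient(phi[1], s, t, s2, t2, z))
    return (op, phi[1], quotient(phi[2], s, t, s2, t2, z))    # forall / exists


def quotient_prefix(phi, run):
    """phi / sigma_0 sigma_1 / ... / sigma_{i-1} sigma_i over a prefix of (state, time) pairs."""
    for (s, t), (s2, t2) in zip(run, run[1:]):
        phi = quotient(phi, s, t, s2, t2)
    return phi


def guards(phi):
    """Lower bounds c of the guards (c < x - z and P(x)) around each predicate
    occurrence; None marks an unguarded occurrence.  After quotienting up to time
    t_i every guard is t_i, the independence property of lemma 2 made visible."""
    if phi[0] == "and" and phi[1][0] == "lt" and phi[2][0] == "P":
        return {-phi[1][3]}
    if phi[0] == "P":
        return {None}
    return set().union(*(guards(sub) for sub in phi[1:] if isinstance(sub, tuple)))


def show(phi):
    """Render a formula tree as text."""
    op = phi[0]
    if op == "P":
        return f"{phi[1].upper()}({phi[2]})"
    if op in ("lt", "le", "eq"):
        return f"{phi[1]}-{phi[2]} {SYM[op]} {phi[3]}"
    if op == "not":
        return f"not {show(phi[1])}"
    if op in ("and", "or", "imp"):
        return f"({show(phi[1])} {SYM[op]} {show(phi[2])})"
    return f"{op} {phi[1]}. {show(phi[2])}"


# Constructed run of figure 2 and the running example psi = eventually_8 always_3 p2.
RUN = [({"p1"}, 0), ({"p1", "p2"}, 4), ({"p2"}, 7), ({"p1"}, 10)]
PSI = ("eventually", 8, ("always", 3, ("p", "p2")))

if __name__ == "__main__":
    phi = T(PSI, "z")
    print(show(phi))
    for i in range(2, len(RUN) + 1):
        q = quotient_prefix(phi, RUN[:i])
        print(f"after sigma_{i - 1}: guards {guards(q)}:", show(q))
```

The guard set after each step shows why the repeated quotient only depends on the future: once $\sigma_i$ has been processed, every remaining $P_2(y)$ sits under $t(\sigma_i) < y - z$, and simplifying the disjunctions in front of it (as done by hand in the example) is what a decision procedure such as the DDD-based one of section 6 would do.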

5 Runtime verification algorithms: MDLV and DLV

In [8] a PSPACE decision algorithm for monadic difference logic is described. In the runtime verification algorithm we use isTautMDL($\phi$) to denote a run of this algorithm to check for tautologiness, and isUnsatMDL($\phi$) to denote a run checking for unsatisfiability. The general checking algorithm is shown in figure 4.

Although correct and complete, the algorithm is going to be rather impractical because of the complicated decision procedure for MDL [8]. Instead, we develop a much more efficient algorithm utilizing Difference Decision Diagrams [11, 13, 14, 15, 16, 12]. This algorithm is going to use properties of formulae being monotonic in the monadic predicates. To make this more explicit, we assume that the monadic difference formula is converted to positive form by requiring it to be expressed in the following restricted grammar:

$\phi ::= P(x) \mid \neg P(x) \mid x - y < c \mid x - y \ge c \mid \phi_1 \land \phi_2 \mid \phi_1 \lor \phi_2 \mid \forall x.\phi \mid \exists x.\phi$.

A formula is converted to positive form by pushing negations down through the operands, dualizing the operands, and continuing until a negation gets absorbed by another negation or hits a monadic predicate or inequality. We collectively refer to $P(x)$ and $\neg P(x)$ as the literal predicates and name them $L_i$, $i = 1, \dots, 2k$, taking $L_i = P_i$ and $L_{k+i} = \neg P_i$ for $i = 1, \dots, k$.

 1: MDLV($\psi$)
 2:   $\phi := T(\psi)_z$
 3:   $t := 0$
 4:   $s := s_0$   /* initial state at time 0 */
 5:   while not isTautMDL($\phi$)
 5a:    and not isUnsatMDL($\phi$)
 6:     wait for next timed state $(s', t')$
 7:     $\phi := \phi/(s,t),(s',t')$
 8:     $s := s'$
 9:     $t := t'$
10:   end
11:   if isTautMDL($\phi$) then
11a:    $\psi$ is already fulfilled by current run
12:   else $\psi$ will never be fulfilled by
12a:    continuing the current run

Figure 4: MDLV: Monadic Difference Logic Verifier. A runtime verification algorithm using a general decision procedure for monadic difference logic. It is sound and complete.

For a formula $\phi$ in positive form we denote by $\bar\phi$ the literal version, where the $L_i$'s are used explicitly in place of the literal predicates. For instance, if $\phi = P_1(x) \land (\neg P_2(y) \lor \neg P_1(y))$ then $\bar\phi = L_1(x) \land (L_{k+2}(y) \lor L_{k+1}(y))$. Notice that $\bar\phi$ enjoys a particular monotonicity property of its literals: the more reals on which they hold, the "more valid" the formula becomes. To make this precise, we first extend the subset ordering on sets of reals pointwise to $2k$-collections of sets of reals: $S \subseteq S'$ if and only if for all $j = 1, \dots, 2k$ we have $S_j \subseteq S'_j$.

Lemma 3 If $S, S'$ are two $2l$-collections of subsets of $\mathbb{R}_+$ with $S \subseteq S'$, then for any $\phi$ in positive form with predicates among $P_1, \dots, P_l$ and corresponding literal version $\bar\phi$ we have:

• If $(t; S) \models \bar\phi$ then $(t; S') \models \bar\phi$.

• If $(t; S') \not\models \bar\phi$ then $(t; S) \not\models \bar\phi$.

As an immediate corollary, we get a method for reducing tautology-checking for MDL to difference logic by replacing literal predicates with the constants 0 (for falsehood) and 1 (for truth):

Corollary 4 Let $\phi$ be a monadic difference formula in positive form, with predicates among $P_1, \dots, P_l$. Take $\phi^0 = \phi[0/L_i]_{i=1}^{2l}$ and $\phi^1 = \phi[1/L_i]_{i=1}^{2l}$; then we have:

• If $\phi^0$ is a tautology, then $\phi$ is a tautology.

• If $\phi^1$ is unsatisfiable, then $\phi$ is unsatisfiable.

We can now use simpler decision procedures because we can safely replace the monadic predicates with constants. This gives rise to the algorithm in figure 6, where we use DDD-based decision procedures. DDDs are introduced in the next section.

Of course, the method in general only provides a sufficient test for tautologiness, and is not complete as we might have that $\phi$ is a tautology without $\phi^0$ being one. A simple example is $\phi = \forall x.\ P_1(x) \lor \neg P_1(x)$, which is clearly a tautology, but $\phi^0 = \forall x.\ 0 \lor 0$ is not. (In fact, $\phi^0$ is unsatisfiable in this case.) One way of thinking about the substitution of false respectively true for the literal predicates is as "assuming the least about the future". Although this might seem a rather crude approximation, it will turn out that for an interesting class of properties the algorithm is in fact going to be complete. First, however, we introduce the efficient underlying data structure of DDDs.



Figure 5: An example of a DDD representing the solutions to the difference inequality expression $0 \le y - x \le 3 \to 4 \le y - z \le 7$ (the node labels that survive from the figure are $0 \le y - x$ and $y - x \le 3$). All edges are directed downwards. In this DDD all paths are feasible (i.e., every path is traversed by some assignment).



6 DDDs 

Difference Decision Diagrams (DDDs) [16] are a data structure for representing sets of spaces as defined by difference inequalities. More precisely, they are used for manipulating spaces defined by the following little grammar for difference logic (without monadic predicates):

$\phi ::= x - y < c \mid \neg\phi \mid \phi_1 \land \phi_2 \mid \forall x.\phi$.

DDDs are an extension of Binary Decision Diagrams [3], using an annotation of nodes with difference inequalities instead of Boolean variables. Figure 5 shows the DDD for $0 \le y - x \le 3 \to 4 \le y - z \le 7$ (the body of the resulting expression in the example above with 0 substituted for $P_2(y)$). The DDD is read as follows: for a given assignment of values to the variables $x, y, z$, the expressions are evaluated in the nodes starting from the root. If a node evaluates to true the solid edge is followed to the next node. If a node evaluates to false the dashed edge is followed. If eventually the terminal node 1 is reached, the assignment belongs to the set represented by the DDD, and if 0 is reached it does not.

DDDs are not canonical, and a typical DDD will contain infeasible paths, i.e., paths traversed by no assignment. However, there are efficient heuristic algorithms for testing tautologiness and satisfiability as well as for realizing the logical operators as manipulations of the data structure. Details can be found in [16] and [12].

Using isTautDDD and isUnsatDDD we obtain soundness, i.e., if DLV determines fulfilment or non-fulfilment of the formula on a run, this is correct. However, there is no general guarantee of always reaching this decision.

Lemma 5 (DLV Soundness) DLV is sound.

An example of a somewhat stupid formula for which MDLV will give the correct answer immediately, but DLV not until time point $c$, is the following:

$\mathrm{eventually}_c\,p \land \mathrm{always}_c\,\neg p$.

Recalling the definition of the eventuality modality, this formula is equivalent to $(\neg\mathrm{always}_c\,\neg p) \land \mathrm{always}_c\,\neg p$, which through propositional reasoning is clearly unsatisfiable. When translated into monadic difference logic there will be a $P$ and a $\neg P$, which are both replaced by the constant 0 or 1 in the DLV algorithm. Although this example is so simple that it is easy to see how to fix it, this is not an easy task in general. But for a special class of formulae DLV is complete in a very strong sense.

 1: DLV($\psi$)
 2:   $\phi :=$ positive form of $T(\psi)_z$
 3:   $t := 0$
 4:   $s := s_0$   /* initial state at time 0 */
 5:   $\phi^0 := \phi[0/L_i]_{i=1}^{2k}$
 6:   $\phi^1 := \phi[1/L_i]_{i=1}^{2k}$
 7:   while not isTautDDD($\phi^0$)
 7a:    and not isUnsatDDD($\phi^1$)
 8:     wait for next $(s', t')$
 9:     $\phi := \phi/(s,t),(s',t')$
 9a:    /* remains in positive form */
10:     $t := t'$
11:     $s := s'$
12:     $\phi^0 := \phi[0/L_i]_{i=1}^{2k}$
13:     $\phi^1 := \phi[1/L_i]_{i=1}^{2k}$
14:   end
15:   if isTautDDD($\phi^0$) then
15a:    $\psi$ is already fulfilled by current run
16:   else $\psi$ will never be fulfilled by
16a:    continuing the current run

Figure 6: DLV: Difference Logic Verifier. A runtime verification algorithm using the two decision procedures for difference logic based on DDDs: isTautDDD and isUnsatDDD.

7 Homogeneously monadic formulae and completeness

We will consider a large interesting subclass of formulae for which DLV is complete in a precise timely manner, to be defined. First, however, we need to introduce the concept of homogeneously monadic formulae. For this we use $\mathrm{PFP}(\phi)$ to denote the set of predicates appearing positively in $\phi$, not under any negation, and $\mathrm{NFP}(\phi)$ to denote the set of predicates appearing inside a negation in $\phi$.

Definition 1 A monadic difference formula $\phi$ in positive form is homogeneously monadic if all predicates appear consistently in positive or negative form in $\phi$, i.e., $\mathrm{PFP}(\phi) \cap \mathrm{NFP}(\phi) = \emptyset$.

Lemma 6 (Completeness for homogeneously monadic formulae) Assume $\phi$ is a homogeneously monadic formula. Let $\phi^0 = \phi[0/L_i]_{i=1}^{2l}$ and $\phi^1 = \phi[1/L_i]_{i=1}^{2l}$. We then have:

• $\phi^0$ is a tautology, if and only if, $\phi$ is a tautology,

• $\phi^1$ is unsatisfiable, if and only if, $\phi$ is unsatisfiable.

Proof: The "only if" directions follow from corollary 4. For the other direction, assume first that $\phi$ is a tautology. This means that for all $l$-collections of subsets of reals $S$ and $k$-vectors of reals $t \in \mathbb{R}_+^k$ we have $(t; S) \models \phi$. In particular, it is valid for the collection $S$ with $S_j = \emptyset$ when $P_j$ occurs (only) positively in $\phi$, and $S_j = \mathbb{R}_+$ when $P_j$ occurs only negatively or not at all in $\phi$. Construct now a $2l$-collection of sets $S'$ with each entry equal to $\emptyset$. It is now clear that $\bar\phi$ evaluates on $S'$ to the same value as $\phi$ on $S$. Therefore, also $\phi^0$ is a tautology.

The case for unsatisfiability follows the same (dual) argument. $\square$

A range of common types of formulae are indeed homogeneously monadic. Examples are:

1. "Leads to": $T(\mathrm{always}(p_1 \to \mathrm{eventually}_{30}\,\neg p_1))_z$. The proposition $p_1$ appears both positively and negatively, but the translated monadic formula in positive form, $\forall x.\ 0 > x - z \lor (\neg P_1(x) \lor \exists y.\ 0 \le y - x \le 30 \land \neg P_1(y))$, has $P_1$ only appearing negatively.

2. "Always eventually": $T(\mathrm{always}_c\,\mathrm{eventually}_c\,p_1)_z$. Contains only one occurrence of $P_1$ and is therefore trivially homogeneously monadic.

3. "Eventually always": $T(\mathrm{eventually}_c\,\mathrm{always}_c\,p_1)_z$. Also contains only one occurrence of $P_1$.

An example of a non-homogeneously monadic formula is $T(\mathrm{always}_c\,p_1 \land \mathrm{eventually}_c\,\neg p_1)_z$.
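The positive-form conversion of section 5, the substitutions $\phi^0$ and $\phi^1$ of corollary 4, and the homogeneity test of definition 1 are all small syntactic procedures. The following is an added example, not code from the paper, that implements them on the formula trees of the earlier example and runs them over the formulas discussed in sections 5 to 7: the excluded-middle formula $\forall x.\ P_1(x) \lor \neg P_1(x)$, the "leads to" formula above, the non-homogeneous formula $T(\mathrm{always}_c\,p_1 \land \mathrm{eventually}_c\,\neg p_1)_z$, and the unsatisfiable $\mathrm{eventually}_c\,p \land \mathrm{always}_c\,\neg p$ of section 6 (with $c = 5$, our choice). Assumptions of ours: the tuple encoding given in the code, and, in place of isTautDDD/isUnsatDDD, a constant-folding step that only gives a verdict when no difference inequality is left after substitution; it reports "undecided" otherwise, which is precisely what happens on the non-homogeneous formulas the text discusses.

```python
"""Added example (not the paper's code): positive form, the substitutions phi^0 and
phi^1 of corollary 4, and the homogeneously monadic test of definition 1.

Formulas are nested tuples in our own encoding (below).  Instead of the DDD
decision procedures, `substitute` only folds the constants 0 and 1 through the
connectives and quantifiers (an assumption of ours): the verdict is exact when
folding reaches a constant and "undecided" otherwise.
"""

# ("P", p, x) | ("notP", p, x)  literal predicates      ("const", 0 | 1)  truth constants
# ("lt" | "le" | "gt" | "ge", x, y, c)  difference bound  x - y <rel> c
# ("and", a, b) | ("or", a, b) | ("imp", a, b) | ("not", a) | ("forall", x, a) | ("exists", x, a)
FLIP = {"lt": "ge", "le": "gt", "gt": "le", "ge": "lt"}
DUAL = {"and": "or", "or": "and", "forall": "exists", "exists": "forall"}


def positive(phi, neg=False):
    """Push negations down to the literals, dualising connectives and quantifiers."""
    op = phi[0]
    if op == "imp":                                  # a -> b  is  (not a) or b
        return positive(("or", ("not", phi[1]), phi[2]), neg)
    if op == "not":
        return positive(phi[1], not neg)
    if op in ("P", "notP"):
        flipped = {"P": "notP", "notP": "P"}[op]
        return (flipped if neg else op,) + phi[1:]
    if op == "const":
        return ("const", 1 - phi[1] if neg else phi[1])
    if op in FLIP:                                   # not (x - y < c)  is  x - y >= c
        return (FLIP[op] if neg else op,) + phi[1:]
    if op in ("and", "or"):
        return (DUAL[op] if neg else op, positive(phi[1], neg), positive(phi[2], neg))
    return (DUAL[op] if neg else op, phi[1], positive(phi[2], neg))   # forall / exists


def literals(phi, kind):
    """Propositions whose predicate occurs as a literal of the given kind: "P" gives
    PFP(phi), "notP" gives NFP(phi).  phi must be in positive form."""
    if phi[0] == kind:
        return {phi[1]}
    return set().union(*(literals(sub, kind) for sub in phi[1:] if isinstance(sub, tuple)))


def homogeneous(phi):
    """Definition 1: PFP(phi) and NFP(phi) are disjoint."""
    return not (literals(phi, "P") & literals(phi, "notP"))


def substitute(phi, const):
    """phi[const/L_i] for every literal predicate, folding 0 and 1 on the way up."""
    op = phi[0]
    if op in ("P", "notP"):
        return ("const", const)
    if op in ("and", "or"):
        a, b = substitute(phi[1], const), substitute(phi[2], const)
        absorbing = 0 if op == "and" else 1              # 0 and x = 0,  1 or x = 1
        if ("const", absorbing) in (a, b):
            return ("const", absorbing)
        if a == ("const", 1 - absorbing):                # 1 and x = x,  0 or x = x
            return b
        if b == ("const", 1 - absorbing):
            return a
        return (op, a, b)
    if op in ("forall", "exists"):
        body = substitute(phi[2], const)
        return body if body[0] == "const" else (op, phi[1], body)
    return phi                                           # bounds and constants are unchanged


def dlv_verdict(phi):
    """The test DLV applies to a formula: tautology via phi^0, unsatisfiable via phi^1."""
    phi = positive(phi)
    if substitute(phi, 0) == ("const", 1):
        return "tautology"
    if substitute(phi, 1) == ("const", 0):
        return "unsatisfiable"
    return "undecided"


def within(y, x, c):
    """0 <= y - x <= c, the bound produced by the translation of always_c / eventually_c."""
    return ("and", ("le", x, y, 0), ("le", y, x, c))


# Sample formulas, constructed from the formulas discussed in the text.
EXCLUDED_MIDDLE = ("forall", "x", ("or", ("P", "p1", "x"), ("not", ("P", "p1", "x"))))
LEADS_TO = ("forall", "x", ("imp", ("le", "z", "x", 0),                       # always(p1 -> eventually_30 not p1)
            ("imp", ("P", "p1", "x"),
             ("exists", "y", ("and", within("y", "x", 30), ("not", ("P", "p1", "y")))))))
MIXED = ("and", ("forall", "y", ("imp", within("y", "z", 5), ("P", "p1", "y"))),   # always_5 p1 and eventually_5 not p1
         ("exists", "y", ("and", within("y", "z", 5), ("not", ("P", "p1", "y")))))
CONTRADICTION = ("and", ("exists", "y", ("and", within("y", "z", 5), ("P", "p", "y"))),   # eventually_5 p and always_5 not p
                 ("forall", "y", ("imp", within("y", "z", 5), ("not", ("P", "p", "y")))))

if __name__ == "__main__":
    for name, f in [("excluded middle", EXCLUDED_MIDDLE), ("leads to", LEADS_TO),
                    ("mixed", MIXED), ("contradiction", CONTRADICTION)]:
        pf = positive(f)
        print(name, "homogeneous:", homogeneous(pf), "DLV:", dlv_verdict(f))
```

The excluded-middle formula is a tautology whose $\phi^0$ folds to 0, and the contradiction is unsatisfiable while its $\phi^1$ keeps a difference bound, so both come out "undecided" from the substitution test even though MDLV would settle them at once; the "leads to" formula, by contrast, passes the homogeneity test with $P_1$ occurring only negatively, which is the case lemma 6 covers.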

For a practical application such as alarms and alerts in business software it is highly desirable that a violation or fulfillment of a temporal formula is detected in time. "In time" can be interpreted as the earliest possible time $t$ for which the formula, given the current run, is doomed to result in acceptance or rejection.

Two different properties of a runtime verification algorithm could be applied here. First, if the algorithm, upon receiving a timed state which forces the formula to be a tautology or unsatisfiable, detects this immediately, we consider it to be (externally timely) complete. Second, if the algorithm further is capable of computing the next earliest time-point where, if the system does not change state before this time, the formula is doomed to become a tautology or unsatisfiable, we consider it to be internally timely complete. This last property could be used to warn about future failures (or successes): if the state does not change before the next unsatisfiability timepoint, the rule fails.

From lemma 6 the following corollary immediately follows:

Corollary 7 DLV is externally timely complete for homogeneously monadic formulae.

The property of being internally timely complete is harder to obtain. Let us first be precise about the required timepoint. Let the earliest tautology timepoint from $t$, abbreviated $\mathrm{ETT}(\phi, s, t)$, be the time $t'$ which is the earliest time $t' \ge t$ for which the formula $\phi$ becomes a tautology without changing the state, i.e., the smallest $t' \ge t$ for which $\phi/(s,t),(s',t')$ is a tautology. If $\phi$ is already a tautology, $t' = t$. If no such $t'$ exists, we take ETT to be $\infty$. Let $\mathrm{EUT}(\phi, s, t)$ similarly be the earliest unsatisfiability timepoint from $t$, i.e. the smallest $t' \ge t$ for which $\phi/(s,t),(s',t')$ is unsatisfiable if such a $t'$ exists and $\infty$ otherwise.

Example. The formula $T(\mathrm{eventually}_{10}\,p_1)_z$ on state $(\emptyset, 0)$ has ETT $\infty$: a state change is required to make it a tautology. It has EUT 10. The formula $T(\mathrm{always}_{10}\,p_1)_z$ on state $(\{p_1\}, 0)$ has ETT 10. It has EUT $\infty$.

Being able to compute ETT and EUT is stronger than being able to compute tautologiness and unsatisfiability, because tautologiness follows from ETT if ETT is the current timepoint, and similarly for EUT and unsatisfiability.

In order to make an algorithm such as DLV internally timely complete, we compute $t' = \mathrm{ET}(\phi, s, t) = \min\{\mathrm{ETT}(\phi, s, t), \mathrm{EUT}(\phi, s, t)\}$ and "inject" an extra timed state at this timepoint, if $t'$ is not $\infty$ and no other timed state is received before $t'$. It amounts to replacing line 8 of the algorithm in figure 6 with the following:

 8a:    compute $t_{ET} = \mathrm{ET}(\phi, s, t)$
 8b:    wait for the first of next $(s', t')$ and time-point $t_{ET}$
 8c:    if time-point $t_{ET}$ is reached before next state received take $t' = t_{ET}$, $s' = s$

Figure 7: The overall setup of the runtime verifier with a timer in order to obtain timely announcements of tautologiness and unsatisfiability.

The earliest unsatisfiability and tautology timepoints might provide very interesting information in themselves. For instance, the earliest unsatisfiability timepoint indicates when, if nothing happens, the property will next fail. We leave it as an open question to find general algorithms for computing ETT and EUT.



8 Other modalities 

The approach shown in this paper works for all temporal operators for which a translation to MDL is possible. There is for instance no problem adding these operators:

$\psi ::= \cdots \mid \mathrm{always}\,\psi \mid \mathrm{after}_c\,\psi \mid \mathrm{between}_{c,d}\,\psi \mid \psi_1\,\mathrm{until}_{=c}\,\psi_2 \mid \psi_1\,\mathrm{until}\,\psi_2$

with the translations:

$T(\mathrm{always}\,\psi)_x = \forall y.\ 0 \le y - x \to T(\psi)_y$

$T(\mathrm{after}_c\,\psi)_x = \forall y.\ c \le y - x \to T(\psi)_y$

$T(\mathrm{between}_{c,d}\,\psi)_x = \exists y.\ c \le y - x \le d \land T(\psi)_y$

$T(\psi_1\,\mathrm{until}_{=c}\,\psi_2)_x = (\forall y.\ 0 \le y - x < c \to T(\psi_1)_y) \land (\forall u.\ u - x = c \to T(\psi_2)_u)$

$T(\psi_1\,\mathrm{until}\,\psi_2)_x = \exists y.\ (0 \le y - x \land T(\psi_2)_y \land \forall u.\ (0 \le u - x \land u - y < 0) \to T(\psi_1)_u)$
9 Conclusion and future work

We have shown how to implement real-time runtime verification with an algorithm based on Difference Decision Diagrams as the basis of decision procedures for difference logic. Of course, other solvers, for instance SAT-based ones, could be substituted for DDDs. The key step we show is the reduction from the runtime verification problem to a simpler decision problem on difference logic.

We are currently implementing the DDD-based algorithms and will publish reports on the results elsewhere. A first running implementation was carried out in [21]. Performance should be established on real data from, for instance, a business software application. An architecture that would allow a runtime verifier such as the one presented in this paper to be applied to business software is discussed in [9].

An interesting path to take is to work directly with the monadic difference logic in formulating properties of real systems. The algorithms work for the full logic; the question is to what extent it is easy and natural to formulate real properties in the logic.

References

[1] Rajeev Alur and David L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183-235, 1994.

[2] Manfred Broy, Bengt Jonsson, Joost-Pieter Katoen, Martin Leucker, and Alexander Pretschner. Model-Based Testing of Reactive Systems: Advanced Lectures (Lecture Notes in Computer Science). Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2005.

[3] Randal E. Bryant. Graph-based algorithms for Boolean function manipulation. IEEE Transactions on Computers, C-35(8):677-691, 1986.

[4] Randal E. Bryant, Shuvendu K. Lahiri, and Sanjit A. Seshia. Modeling and verifying systems using a logic of counter arithmetic with lambda expressions and uninterpreted functions. In Proc. Computer-Aided Verification (CAV), volume 2404 of Lecture Notes in Computer Science, Copenhagen, Denmark, July 2002.

[5] S. Cotton, E. Asarin, O. Maler, and P. Niebert. Some progress in satisfiability checking for difference logic. In FORMATS/FTRTFT 2004, volume 3253 of LNCS, Grenoble, 2004.

[6] Doron Drusinsky. Monitoring temporal rules combined with time series. In Rajeev Alur and Doron Peled, editors, CAV, volume 3114 of Lecture Notes in Computer Science, pages 114-117. Springer, 2004.

[7] Klaus Havelund and Grigore Roşu. Monitoring programs using rewriting. In Automated Software Engineering (ASE'01), San Diego, California, November 2001. IEEE Computer Society.

[8] Yoram Hirshfeld and Alexander Rabinovich. Logics for real time: Decidability and complexity. Fundamenta Informaticae, 62(1):1-28, 2004.

[9] Kåre J. Kristoffersen and Yvonne Dittrich. Expanding database systems into self-verifying entities. In Proceedings of the Third Workshop on Modelling, Simulation, Verification and Validation of Enterprise Information Systems, MSVVEIS 05, Miami, Florida, USA, May 24th 2005.

[10] Kåre J. Kristoffersen, Christian Pedersen, and Henrik R. Andersen. Runtime verification of timed LTL using disjunctive normalized equation systems. In Proc. Runtime Verification (RV'03), volume 2404 of Electronic Notes in Theoretical Computer Science, Boulder, Colorado, July 2003.

[11] Jesper B. Møller. DDDLIB: A library for solving quantified difference inequalities. In Automated Deduction - CADE-18: 18th International Conference on Automated Deduction, Copenhagen, Denmark, July 27-30, 2002. Proceedings, volume 2392 of LNCS. Springer, 2002.

[12] Jesper B. Møller. Symbolic Model Checking of Real-Time Systems Using Difference Decision Diagrams. PhD thesis, IT University of Copenhagen, April 2002.

[13] Jesper B. Møller, Henrik Hulgaard, and Henrik Reif Andersen. Symbolic model checking of timed guarded commands using difference decision diagrams. Journal of Logic and Algebraic Programming, 52(1-2), 2002.

[14] Jesper B. Møller, Henrik Hulgaard, and Henrik Reif Andersen. Timed Verification of Asynchronous Circuits, chapter Concurrency and Hardware Design, pages 274-312. Advances in Petri Nets. Springer, 2002.

[15] Jesper B. Møller, Jakob Lichtenberg, Henrik R. Andersen, and Henrik Hulgaard. Fully symbolic model checking of timed systems using difference decision diagrams. In Proceedings of First International Workshop on Symbolic Model Checking, Trento, Italy, Electronic Notes in Theoretical Computer Science, vol. 23-2, July 1999, pp. 89-108, 1999.

[16] Jesper B. Møller, Jakob Lichtenberg, Henrik Reif Andersen, and Henrik Hulgaard. Difference Decision Diagrams. In Proc. 13th International Conference on Computer Science Logic, volume 1683 of Lecture Notes in Computer Science, Madrid, Spain, 20-25 September 1999.

[17] Jan Peleska and Michael Siegel. From testing theory to test driver implementation. In Marie-Claude Gaudel and Jim Woodcock, editors, FME, volume 1051 of Lecture Notes in Computer Science, pages 538-556. Springer, 1996.

[18] A. Pnueli, M. Siegel, and E. Singerman. Translation validation. Lecture Notes in Computer Science, 1384:151-, 1998.

[19] Amir Pnueli and Aleksandr Zaks. PSL model checking and run-time verification via testers. In Jayadev Misra, Tobias Nipkow, and Emil Sekerinski, editors, FM, volume 4085 of Lecture Notes in Computer Science, pages 573-586. Springer, 2006.

[20] Ofer Strichman, Sanjit A. Seshia, and Randal E. Bryant. Deciding separation formulas with SAT. In Proc. Computer-Aided Verification (CAV), volume 2404 of Lecture Notes in Computer Science, Copenhagen, Denmark, July 2002.

[21] Sudhakar Sudhakar. Efficient runtime verification using monadic difference logic and difference decision diagrams. Master's thesis, IT University of Copenhagen, November 2005.